Security Experts:

Self-Healing Cybersecurity Systems: A Pipe Dream or Reality?

Cybersecurity has been a priority for organizations for many years. According to Gartner, organizations are expected to spend $150.4 million on IT security and risk management technologies in 2021, which would reflect a 12.4 percent increase compared to 2020. Yet, despite these investments in security controls, cyber-attacks keep coming. In fact, cyber criminals took advantage of the shift to a pandemic-defined work environment by launching a wave of new cyber-attacks, leveraging tactics such as phishing, ransomware, and credential stuffing. Their primary target for their attacks – remote workers and their endpoint devices, which serve as an access point to an enterprise’s network. 

Ensuring that the increased number of remote endpoints are kept secure and avoid becoming an entry point for hackers to compromise the network, is overwhelming for many IT teams. They are often allocated to big-ticket items such as servers and cloud-based databases to protect. Thus, it is not surprising that the concept of self-healing cybersecurity systems is appealing to many IT and security professionals, as they are seeking ways to cut the time and effort needed to protect distributed infrastructures. So how close are we to self-healing cybersecurity systems? 

When establishing visibility and security controls across endpoints, IT and security professionals need to understand that each endpoint bears some or all responsibility for its own security. This is different from the traditional network security approach, in which case established security measures apply to the entire network rather than individual devices and servers. At a minimum, organizations therefore should deploy simple forms of endpoint security like anti-virus or anti-malware software across their entire fleet of devices. Many organizations are going beyond these simple measures and nowadays leverage modern endpoint security technology that encompasses encryption, intrusion detection, and behavior-blocking elements to identify and block threats and risky behavior, either by end users or intruders.

Self-Healing Cybersecurity Systems Defined

However, human error, malicious actions, and decayed, insecure software, often impede the efficacy of these security controls. Thus, Forrester Research recommends taking a pro-active approach to endpoint security by leveraging self-healing capabilities for endpoint devices, mission-critical security controls, and productivity applications. According to the 2021 Absolute Endpoint Risk Report (PDF), in organizations without these self-healing capabilities in place, one in four endpoint devices reported unhealthy applications at any given time, including critical protections.

Self-healing cybersecurity systems are devices or software components that can sense they are not operating optimally and, without human intervention, make the adjustments needed to resume normal operations. This can be achieved through pro-active monitoring to quickly gauge deviations from standard configuration settings and either repair or re-install the impeded component to revert the system back to a steady-state. This is at least the promise of self-healing cybersecurity systems that is being promised by many security vendors to appeal to their buyer’s needs for automation. Unfortunately, reality does not always match the hype. Therefore, IT and security teams should conduct due diligence before investing in a self-healing technology.  

Beware the Different Flavors of Self-Healing

Nowadays, many security vendors offer solutions that scan the endpoint and/or installed software components for any signs of decay, software collision, and potential or actual breach. Anomalies are discovered based on comparative analysis with a prior established baseline or behavior-based detection to trigger automated remediation actions. Obviously, these self-healing capabilities offer tremendous benefits to IT and security teams when it comes to improving their help desk services, asset management, or security control efficacy. 

However, what ultimately differentiates self-healing cybersecurity systems is their relative level of ability to prevent the same factors that they are built to protect against - human error, decay, software collision, and malicious activities. In the end, they are just another software application. It is therefore important to select solutions that can persist in the face of hostile external factors. To achieve this state of hardening, self-healing capabilities should be embedded in the firmware of the endpoint, shielding it from any intentional or unintentional manipulation. In turn, whenever an end user starts their endpoint, the self-healing technology should validate the integrity of the BIOS code to safeguard the computer from external compromise, making it undeletable and therefore superior to self-healing technologies that are not rooted in the firmware of the endpoint. The device’s firmware is a relatively privileged location that requires close partnerships with device manufacturers to gain access to. Few vendors will have this privilege. 


Making each endpoint resilient is paramount to implementing a successful defense strategy. In this context, self-healing cybersecurity systems represent a major security and IT productivity advancement, allowing organizations to streamline the management and protection of today’s highly distributed infrastructures. However, not all self-healing cybersecurity systems are built equally. Organizations should insist that their vendor of choice demonstrates persistence capabilities before making a final purchase decision.

view counter
Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).